US20120017088A1 - Wireless local area network terminal pre-authentication method and wireless local area network system - Google Patents

Wireless local area network terminal pre-authentication method and wireless local area network system Download PDF

Info

Publication number
US20120017088A1
US20120017088A1 US13/257,749 US200913257749A US2012017088A1 US 20120017088 A1 US20120017088 A1 US 20120017088A1 US 200913257749 A US200913257749 A US 200913257749A US 2012017088 A1 US2012017088 A1 US 2012017088A1
Authority
US
United States
Prior art keywords
destination
current
authentication
certificate
sta
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
US13/257,749
Other versions
US8533461B2 (en
Inventor
Jiabing Liu
Yuanqing Shi
Jiehui LIANG
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZTE Corp
Original Assignee
ZTE Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Family has litigation
First worldwide family litigation filed litigation Critical https://patents.darts-ip.com/?family=41095556&utm_source=google_patent&utm_medium=platform_link&utm_campaign=public_patent_search&patent=US20120017088(A1) "Global patent litigation dataset” by Darts-ip is licensed under a Creative Commons Attribution 4.0 International License.
Application filed by ZTE Corp filed Critical ZTE Corp
Assigned to ZTE CORPORATION reassignment ZTE CORPORATION ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: LIANG, JIEHUI, LIU, JIABING, SHI, YUANQING
Publication of US20120017088A1 publication Critical patent/US20120017088A1/en
Application granted granted Critical
Publication of US8533461B2 publication Critical patent/US8533461B2/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/047Key management, e.g. using generic bootstrapping architecture [GBA] without using a trusted network node as an anchor
    • H04W12/0471Key exchange
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/062Pre-authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/069Authentication using certificates or pre-shared keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80Wireless
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/061Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying further key derivation, e.g. deriving traffic keys from a pair-wise master key

Definitions

  • the present invention relates to the wireless local area network (WLAN) field, and particularly, to a method for pre-authenticating a wireless local network terminal which supports the WLAN Authentication and Privacy Infrastructure (WAPI) and a wireless local area network system.
  • WLAN wireless local area network
  • WAPI WLAN Authentication and Privacy Infrastructure
  • the WAPI mechanism mainly relates to following three entities: a wireless station (STA), a wireless access point (AP) and an authentication server.
  • STA should complete two parts of works: one is to complete the certificate authentication process, and generate a basic key in this process; and the other is to negotiate keys based on the basic key, including unicast key negotiation and the multicast key notification.
  • FIG. 1 the following steps are comprised:
  • the AP sends an authentication activation packet to the STA to start the certificate authentication process
  • the authentication activation packet includes fields such as: an AP certificate, ECDH (Elliptic Curve Diffie-Hellman) parameters and so on.
  • the STA after receiving the authentication activation packet, the STA saves the AP certificate which is used to verify the signature of the AP in the subsequent operations, and generates a temporary private key sx and a temporary public key px which are used in the ECDH exchange.
  • the STA generates an access authentication request packet, and sends the access authentication request packet to the AP;
  • the access authentication request packet includes fields such as a temporary public key px, the STA certificate and so on, and a signature value signed on above fields by the STA.
  • the certificate authentication request packet includes: the STA certificate and the AP certificate.
  • the authentication server After receiving the certificate authentication request packet, the authentication server verifies the STA certificate and the AP certificate;
  • the STA and AP complete the bidirectional identity authentication (namely the certificate authentication), and set up the Base Key Security Association (BKSA).
  • the BKSA includes parameters such as a BK, and a base key identifier (BKID) and so on.
  • the AP sends a unicast key negotiation request packet to the STA;
  • the unicast key negotiation request packet includes parameters such as the BKID, ADDID, and N 1 and so on, wherein
  • the AP sends a multicast key notification packet to the STA;
  • the multicast key notification packet includes fields such as: the ADDID, key data, message authentication code and so on.
  • the destination AP After receiving the pre-authentication initiation packet, the destination AP verifies the signature of the current AP, and after the verification is successful, the destination AP sends a certificate authentication request packet to the authentication server, the certificate authentication request packet including the certificate of the current AP, the certificate of the destination AP and a signature of the destination AP; and
  • FIG. 3 is a schematic diagram of the format of the pre-authentication packet
  • FIG. 4 is structural schematic diagram of the wireless local area network system which can implement the above method of the present invention.
  • the core idea of the present invention is: after an AP which has set up a security association with a STA (called the current AP for short) receives a pre-authentication start packet sent by the STA, the current AP verifying the destination AP certificate through the authentication server, and after the certificate is verified successfully, the current AP sending the key information of the security association set up with the STA to the destination AP; and the destination AP saving said key information, thereby completing the pre-authentication.
  • FIG. 2 is a flow chart of the method for pre-authenticating a wireless local area network terminal according to an example of the present invention, including the following steps:
  • the STA after setting up the security association with the current AP, the STA starts to scan APs actively or passively if the signal intensity of the current AP is lower than a preset threshold when the STA moves in the Extended Service Set (ESS).
  • ESS Extended Service Set
  • the current AP after receiving the pre-authentication start packet, the current AP sends a pre-authentication initiation packet to the destination AP through the Distributed System (DS) to active the certificate authentication process.
  • DS Distributed System
  • the destination AP after receiving the pre-authentication initiation packet, the destination AP verifies the signature of the current AP, and after the verification is successful, the destination AP sends a certificate authentication request packet to the authentication server to carry out the identity authentication.
  • the certificate authentication request packet includes information such as: the MAC address of the destination AP, the MAC address of the current AP, the destination AP certificate and the current AP certificate and so on.
  • the authentication server verifies the destination AP certificate and the current AP certificate, and includes the verification results of the destination AP certificate and the current AP certificate into a certificate authentication response packet, and attaches a signature of the authentication server, and then sends the certificate authentication response packet to the destination AP.
  • the pre-authentication response packet includes information such as: the signature of the destination AP, the signature of the authentication server, and the verification result of the destination AP certificate and so on.
  • Above key information includes BKSA parameters such as: a base key identifier (BKID), base key (BK) and so on; besides, the key information can further include USKSA parameters such as the unicast session key identifier (USKID), unicast session key (USK) and so on.
  • BKID base key identifier
  • USK unicast session key identifier
  • USK unicast session key
  • the destination AP uses the key encryption key (KEK) in the unicast session key to encrypt the notification master key (NMK) to generate the key data, and uses the message authentication key to calculate the message authentication code, and includes the key data and message authentication code into a multicast key notification packet and sends the multicast key notification packet to the STA.
  • KEK key encryption key
  • NMK notification master key
  • the STA after receiving the multicast key notification packet, the STA checks the message authentication code, and after the check is passed, decrypts the key data to obtain the notification master key, and uses the KD-HMAC-SHA256 algorithm to expand the notification master key, and generates the multicast key (which includes 16 bytes multicast encryption key and 16 bytes integrity check key).
  • the STA sends a multicast key response packet to the destination AP to complete the multicast key notification process.
  • the destination AP sends a pre-authentication completion packet to the current AP through the DS to inform the current AP that the pre-authentication has been completed.
  • the current AP can only send the BKSA parameters to the destination AP, and the destination AP uses the BK in the BKSA to negotiate with the STA to generate a new USK.
  • the negotiation of the unicast session key can also be carried out after STA is switched to be the destination AP.
  • the destination AP and the STA may not carry out the multicast key negotiation during the pre-authentication process until the STA is switched to be the destination AP.
  • the destination AP can directly sends a pre-authentication response packet including the destination AP certificate to the current AP, and the current AP sends a certificate authentication request packet including the current AP certificate and the destination AP certificate to the authentication server, and the authentication server verifies the current AP certificate and the destination AP certificate, and sends the verification result together with the key information to the destination AP.
  • the destination AP and the current AP can use this public key to verify the certificate of the other party, without sending the certificate to the authentication server. Certainly, in this situation, it cannot verify whether the certificate of the other party is revoked.
  • said current AP is use for, after receiving a pre-authentication start packet sent by said STA, interacting with said destination AP to verify certificates of the two parties for each other;
  • said current AP is also used for sending the key information of the security association set up with said STA to said destination AP; said destination AP stores said key information;
  • Said key information includes a basic key generated by negotiation between the STA and the AP.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Small-Scale Networks (AREA)

Abstract

A method for pre-authenticating a wireless local area network terminal and a wireless local area network system. The pre-authentication method includes after a current access point (AP) which has set up security association with a station (STA) receiving a pre-authentication start packet sent by the STA, the current AP interacting with a destination AP to verify certificates of the current AP and the destination AP for each other. If a certificate of the destination AP is verified to be valid, the current AP sending key information of the security association set up with the STA by the current AP to the destination AP, and the destination AP saving the key information, the key information including a basic key generated by negotiation between the STA and the current AP.

Description

    TECHNICAL FIELD
  • The present invention relates to the wireless local area network (WLAN) field, and particularly, to a method for pre-authenticating a wireless local network terminal which supports the WLAN Authentication and Privacy Infrastructure (WAPI) and a wireless local area network system.
    • BACKGROUND OF THE RELATED ART
  • At present, the wireless network security mainly adopts the security mechanism in the wireless local area network standard (IEEE 802.11) constituted by the Institute of Electrical and Electronics Engineers (IEEE). This mechanism adopts the Wired Equivalent Privacy (WEP), and this mechanism has been widely proved that it does not have the security equivalent to the wired network, and brings huge hidden danger in security to the wireless local area network.
  • In this situation, China has put forward a wireless local area network national standard GB15629.11 in May, 2003, which introduced a brand new security mechanism, namely the Wireless Local Area Network Authentication and Privacy Infrastructure (WAPI) to enhance the security of the wireless local area network, and has published an improved national standard (GB15629.11-2003/XG1-2006) in 2006.
  • The WAPI is comprised of the WLAN Authentication Infrastructure (WAI) and the WLAN Privacy Infrastructure (WPI), wherein the WAI adopts the elliptic-curve-based public key certificate system. The wireless station (STA) and access point (AP) carry out bidirectional identity authentication (certificate authentication) through the Authentication Server (AS). For the security of the transmission data, the WPI adopts the symmetric cryptographic algorithm SMS4 provided by the State Commercial Secret code Regulatory Commission Office in China for encryption and decryption to ensure the security of the data transmission.
  • The WAPI mechanism mainly relates to following three entities: a wireless station (STA), a wireless access point (AP) and an authentication server. To set up association with an AP and securely transmit data, STA should complete two parts of works: one is to complete the certificate authentication process, and generate a basic key in this process; and the other is to negotiate keys based on the basic key, including unicast key negotiation and the multicast key notification. As shown in FIG. 1, the following steps are comprised:
  • 101: the AP sends an authentication activation packet to the STA to start the certificate authentication process;
  • The authentication activation packet includes fields such as: an AP certificate, ECDH (Elliptic Curve Diffie-Hellman) parameters and so on.
  • 102: after receiving the authentication activation packet, the STA saves the AP certificate which is used to verify the signature of the AP in the subsequent operations, and generates a temporary private key sx and a temporary public key px which are used in the ECDH exchange.
  • 103: the STA generates an access authentication request packet, and sends the access authentication request packet to the AP;
  • The access authentication request packet includes fields such as a temporary public key px, the STA certificate and so on, and a signature value signed on above fields by the STA.
  • 104: after receiving the access authentication request packet, the AP verifies the signature of the STA (using the public key included in the STA certificate), and if the verification is unsuccessful, this access authentication request packet is discarded; or else the AP generates a certificate authentication request packet, and sends the certificate authentication request packet to the authentication server;
  • The certificate authentication request packet includes: the STA certificate and the AP certificate.
  • 105: after receiving the certificate authentication request packet, the authentication server verifies the STA certificate and the AP certificate;
  • 106: the authentication server constructs an certificate authentication response packet, which includes the verification results of the STA certificate and the AP certificate and attaches a signature of the authentication server, and sends the certificate authentication response packet to the AP;
  • 107: the AP verifies the signature of the authentication server, and after the verification is successful, further verifies the verification result of the STA certificate verified by the authentication server, and after the verification is successful, the following operations are carried out:
  • 107 a: a temporary private key sy and a temporary public key py used for ECDH exchange are generated;
  • 107 b: ECDH calculation is carried out using the temporary public key px sent by the STA and the temporary private key sy generated locally to generate a basic key (BK).
  • 108: the AP sends an access authentication response packet to the STA;
  • The access authentication response packet includes: a temporary public key py, a certificate verification result, a signature of the authentication server, and a signature signed on above fields by the AP.
  • 109: after receiving the access authentication response packet, the STA verifies the signature of the AP, the signature of the authentication server, and the certificate verification result, and if both of the signatures of the AP and the authentication server are correct, and the authentication server verifies the AP certificate successfully, the STA carries out the ECDH calculation using the temporary public key py and temporary private key sx to generate the BK.
  • It should be noted that according the principal of the ECDH, the BKs generated by the STA and the AP are the same.
  • Through above processes, the STA and AP complete the bidirectional identity authentication (namely the certificate authentication), and set up the Base Key Security Association (BKSA). The BKSA includes parameters such as a BK, and a base key identifier (BKID) and so on.
  • 110: the AP sends a unicast key negotiation request packet to the STA; The unicast key negotiation request packet includes parameters such as the BKID, ADDID, and N1 and so on, wherein
  • The BKID is the identifier of the BK obtained from the previous negotiation of the AP and STA;
  • ADDID is comprised of the Media Access Control (MAC) addresses of the AP and STA;
  • N1 is a random number generated by the AP.
  • 111: after receiving the unicast key negotiation request packet, the STA generates a random number N2, and then calculates:
  • Key=KD-HMAC-SHA256(BK, ADDID∥N1∥N2∥String); wherein
  • BK is the base key identified by the above BKID; KD-HMAC-SHA256 is the Hashed Message Authentication Code (HMAC) algorithm based on the SHA256 algorithm, namely a HASH algorithm with a key; String is a preset character string, which is “pairwise key expansion for unicast and additional keys and nonce” in the current standard; “∥” denotes a string concatenation operation, and “ADDID∥N1∥N2∥String” is the character parameter used by the KD-HMAC-SHA256 algorithm.
  • After calculating to obtain the Key, the STA extracts 64 bytes therein as the unicast session key (USK), including: 16 bytes unicast encryption key, 16 bytes unicast integrity check key, 16 bytes message authentication key, and 16 bytes key encryption key.
  • 112: the STA sends a unicast key negotiation response packet to the AP;
  • The unicast key negotiation response packet includes parameters such as: the BKID, random number N2 and so on.
  • 113: after receiving the unicast key negotiation response packet, the AP makes the following calculates:
  • Key=KD-HMAC-SHA256(BK, ADDID∥N1∥N2∥String), and extracts the USK therein.
  • 114: the AP sends a unicast key negotiation confirmation packet to the STA;
  • So far, the AP and STA complete the unicast session key negotiation flow, and set up the unicast session key security association (USKSA).
  • 115: the AP sends a multicast key notification packet to the STA;
  • The multicast key notification packet includes fields such as: the ADDID, key data, message authentication code and so on.
  • The key data field is the cryptograph generated by encrypting the notification master key by the AP using the key encryption key and the algorithm chosen in the negotiation of the AP and the STA. The notification master key is a 16 bytes random number generated by the AP.
  • The message authentication code is data resulting from calculation on all the protocol data fields before this field by the AP using the message authentication key and the HMAC-SHA256 algorithm.
  • 116: after receiving the multicast key notification packet, the STA verifies the message authentication code, and after the verification is passed, the STA decrypts key data to obtain the notification master key, and expands the notification master key using the KD-HMAC-SHA256 algorithm to obtain the multicast key.
  • 117: the STA sends the multicast key response packet to the AP to complete the multicast key notification process.
  • In the wireless local area network, there may be a plurality of APs existing. If the STA wants to handoff from the current AP to the destination AP, the STA requires carrying out the certificate authentication process and the key negotiation process with the destination AP over again. These processes will spend a lot of time, resulting in the handoff delay, and even breaking off the communication. Therefore, the WAPI puts forward the pre-authentication method.
  • In the WAPI mechanism, if the destination AP supports pre-authentication, after completing unicast session key negotiation with the current associated AP and installing the key, the STA can start the pre-authentication process. The authentication unit of the STA sends a pre-authentication start packet to active the pre-authentication process. The destination address (DA) of this packet is the Basic Service Set ID (BSSID) of the destination AP, and the source address (RA) is the BSSID of the current associated AP. The destination AP should use own BSSID as the Media Access Control (MAC) of the AP authentication unit. The current associated AP bridges the pre-authentication packet sent by the STA to the Distribution System (DS). The destination AP receiving the pre-authentication packet through the DS starts the certificate authentication process with the corresponding STA. If the certificate authentication process of the WAI is successful, the result of the pre-authentication is the Base Key Security Association (BKSA). After associating with the destination AP which completes the pre-authentication, the STA can use the BKSA to carry out the unicast key negotiation and the multicast key notification processes.
  • It can be seen from above description that the existing pre-authentication method in the WAPI is that the STA and AP carry out the identity authentication and key negotiation for each other in advance to reduce the handoff delay.
  • However, the current pre-authentication method has the following drawbacks: when the STA and the destination AP carry out the pre-authentication, the whole certificate authentication process and key negotiation process are still required to be carried out, and the pre-authentication process is rather complex; and when the STA requires carrying out pre-authentication with a plurality of APs, more time is spent, and more bandwidth resources are occupied, and the handoff delay of the STA is increased indirectly.
    • SUMMARY OF THE INVENTION
  • The technical problem to be solved in the present invention is to overcome the drawbacks in the prior art, and to provide a pre-authentication method and a wireless local area network system, which can quickly complete the pre-authentication of the wireless local area network terminal and occupies less bandwidth resources.
  • In order to solve the above problem, the present invention provides a method for pre-authenticating a wireless local area network terminal, comprising:
  • after a current access point (AP) which has set up security association with a station (STA) receiving a pre-authentication start packet sent by the STA, the current AP interacting with a destination AP to verify certificates of the current AP and the destination AP for each other; and
  • if a certificate of the destination AP is verified to be valid, the current AP sending key information of the security association set up with the STA by the current AP to the destination AP, and the destination AP saving the key information;
  • the key information including a basic key generated by negotiation between the STA and the current AP.
  • In addition, the current AP and destination AP adopt the following way to verify certificates thereof for each other:
  • the current AP sends a pre-authentication initiation packet to the destination AP, and the pre-authentication initiation packet includes a certificate of the current AP and a signature of the current AP;
  • after receiving the pre-authentication initiation packet, the destination AP verifies the signature of the current AP, and after the verification is successful, the destination AP sends a certificate authentication request packet to an authentication server, and the certificate authentication request packet includes the certificate of the current AP, the certificate of the destination AP and a signature of the destination AP; and
  • after receiving the certificate authentication request packet, the authentication server verifies the signature of the destination AP, and after the signature is verified successfully, the authentication server verifies the certificates of the current AP and the destination AP, and sending a certificate authentication response packet including certificate verification results and a signature of the authentication server to the destination AP and the current AP.
  • In addition, the key information further includes a unicast session key generated by negotiation between the STA and the current AP;
  • after receiving the key information, the destination AP also uses the unicast session key to negotiate with the STA to generate a multicast key.
  • In addition, if the certificate of the destination AP is verified to be invalid, the current AP releases a link relationship of the current AP and the destination AP, and informs the STA that the destination AP is illegal.
  • The present invention also provides a wireless local area network system, and the system comprises a STA, a current AP which has set up security association with the STA, and a destination AP which supports a pre-authentication function, wherein
  • the current AP is used for, after receiving a pre-authentication start packet sent by the STA, interacting with the destination AP to verify certificates of the current AP and the destination AP for each other; and
  • if the certificate of the destination AP is verified to be valid, the current AP is further used for sending key information of the security association set up with the STA by the current AP to the destination AP; the destination AP saves the key information;
  • the key information includes a basic key generated by negotiation between the STA and the current AP.
  • In addition, the system further comprises an authentication server; the current AP and destination AP adopt the following way to verify certificates of the current AP and the destination AP for each other:
  • the current AP sending a pre-authentication initiation packet to the destination AP, the pre-authentication initiation packet including a certificate of the current AP and a signature of the current AP;
  • after receiving the pre-authentication initiation packet, the destination AP verifies the signature of the current AP, and after the verification is successful, the destination AP sends a certificate authentication request packet to the authentication server, the certificate authentication request packet including the certificate of the current AP, the certificate of the destination AP and a signature of the destination AP; and
  • after receiving the certificate authentication request packet, the authentication server verifies the signature of the destination AP, and after the verification is successful, the authentication server verifies the certificates of the current AP and the destination AP, and sends a certificate authentication response packet including certificate verification results and a signature of the authentication server to the destination AP and the current AP.
  • In addition, the key information further includes a unicast session key generated by negotiation between the STA and the current AP;
  • the destination AP is further used for, after receiving the key information, using the unicast session key to negotiate with the STA to generate a multicast key.
  • As a conclusion, the present invention is based on the WAPI three-element security frame idea, makes use of the security association that has been set up to carry out the identity authentication (certificate verification) on the untrusted AP. And after the identity authentication is completed, the current AP sends the key information (mainly a base key) to the destination AP. Through this optimized pre-authentication method, in a precondition of not reducing the system security performance, the interaction processes between each network element are reduced, and the aim of quickly pre-authenticating wireless local area network terminal is achieved.
    • BRIEF DESCRIPTION OF DRAWINGS
  • FIG. 1 is a flow chart of the certificate authentication process and the key negotiation process in the prior art;
  • FIG. 2 is a flow chart of the method for pre-authenticating the wireless local area network terminal according to an example of the present invention;
  • FIG. 3 is a schematic diagram of the format of the pre-authentication packet;
  • FIG. 4 is structural schematic diagram of the wireless local area network system which can implement the above method of the present invention.
    •  PREFERRED EMBODIMENTS OF THE PRESENT INVENTION
  • The core idea of the present invention is: after an AP which has set up a security association with a STA (called the current AP for short) receives a pre-authentication start packet sent by the STA, the current AP verifying the destination AP certificate through the authentication server, and after the certificate is verified successfully, the current AP sending the key information of the security association set up with the STA to the destination AP; and the destination AP saving said key information, thereby completing the pre-authentication.
  • Below it will describe the present invention with reference to the figures and examples in detail.
  • FIG. 2 is a flow chart of the method for pre-authenticating a wireless local area network terminal according to an example of the present invention, including the following steps:
  • 201: after setting up the security association with the current AP, the STA starts to scan APs actively or passively if the signal intensity of the current AP is lower than a preset threshold when the STA moves in the Extended Service Set (ESS).
  • 202: the STA judges whether the scanned APs support pre-authentication according to the WAPI information element field in the Beacon frame or the Probe Response frame, and establishes an AP priority list according to the signal intensity of the APs which support the pre-authentication; takes an AP with the highest priority as a destination AP, and then sends a pre-authentication start packet to the current AP.
  • The pre-authentication packet adopts the format defined in the WAPI protocol, as shown in FIG. 3, and the particular content can see the GB15629.11-2003/XG1-2006, wherein the length of the ADDID field is 12 bytes, and the value of this field is comprised of the MAC address of the initiator STA and the MAC address of the destination AP.
  • 203: after receiving the pre-authentication start packet, the current AP sends a pre-authentication initiation packet to the destination AP through the Distributed System (DS) to active the certificate authentication process.
  • The pre-authentication initiation packet includes information such as: the current AP certificate, the MAC addresses of the STA and the current AP, and the signature of the current AP and so on.
  • 204: after receiving the pre-authentication initiation packet, the destination AP verifies the signature of the current AP, and after the verification is successful, the destination AP sends a certificate authentication request packet to the authentication server to carry out the identity authentication.
  • The certificate authentication request packet includes information such as: the MAC address of the destination AP, the MAC address of the current AP, the destination AP certificate and the current AP certificate and so on.
  • 205: after receiving the certificate authentication request packet, the authentication server verifies the destination AP certificate and the current AP certificate, and includes the verification results of the destination AP certificate and the current AP certificate into a certificate authentication response packet, and attaches a signature of the authentication server, and then sends the certificate authentication response packet to the destination AP.
  • 206: after receiving the certificate authentication response packet, the destination AP verifies the signature of the authentication server, and if the signature is wrong, discards this certificate authentication response packet, or checks the verification result of the certificate of the current AP, and if the current AP certificate is valid, constructs a pre-authentication response packet, and sends the pre-authentication response packet to the current AP.
  • The pre-authentication response packet includes information such as: the signature of the destination AP, the signature of the authentication server, and the verification result of the destination AP certificate and so on.
  • 207: after receiving the pre-authentication response packet, the current AP verifies whether the signature of the destination AP and the signature of the authentication server are correct, and if any one of the signatures is wrong, discards this packet; or else checks whether the destination AP certificate is valid according to the verification result of the destination AP certificate, and if it is invalid, releases the link relationship between two APs and informs the STA that the destination AP is illegal; and if all of above checks are passed, the current AP sends the key information of the security association set up with the STA to the destination AP through DS;
  • Above key information includes BKSA parameters such as: a base key identifier (BKID), base key (BK) and so on; besides, the key information can further include USKSA parameters such as the unicast session key identifier (USKID), unicast session key (USK) and so on.
  • 208: after receiving the above key information, the destination AP uses the key encryption key (KEK) in the unicast session key to encrypt the notification master key (NMK) to generate the key data, and uses the message authentication key to calculate the message authentication code, and includes the key data and message authentication code into a multicast key notification packet and sends the multicast key notification packet to the STA.
  • 209: after receiving the multicast key notification packet, the STA checks the message authentication code, and after the check is passed, decrypts the key data to obtain the notification master key, and uses the KD-HMAC-SHA256 algorithm to expand the notification master key, and generates the multicast key (which includes 16 bytes multicast encryption key and 16 bytes integrity check key).
  • 210: the STA sends a multicast key response packet to the destination AP to complete the multicast key notification process.
  • 211: the destination AP sends a pre-authentication completion packet to the current AP through the DS to inform the current AP that the pre-authentication has been completed.
  • According to the basic principle of the present invention, above examples can also have a plurality of transformations, such as:
  • (1) in the step 207, the current AP can only send the BKSA parameters to the destination AP, and the destination AP uses the BK in the BKSA to negotiate with the STA to generate a new USK.
  • Certainly, the negotiation of the unicast session key can also be carried out after STA is switched to be the destination AP.
  • (2) the destination AP and the STA may not carry out the multicast key negotiation during the pre-authentication process until the STA is switched to be the destination AP.
  • (3) in the step 204, after receiving the pre-authentication initiation packet, the destination AP can directly sends a pre-authentication response packet including the destination AP certificate to the current AP, and the current AP sends a certificate authentication request packet including the current AP certificate and the destination AP certificate to the authentication server, and the authentication server verifies the current AP certificate and the destination AP certificate, and sends the verification result together with the key information to the destination AP.
  • (4) if both the destination AP and the current AP have the public key of the authentication server, the destination AP and the current AP can use this public key to verify the certificate of the other party, without sending the certificate to the authentication server. Certainly, in this situation, it cannot verify whether the certificate of the other party is revoked.
  • FIG. 4 is structural schematic diagram of the wireless local area network system which can implement the above method of the present invention. As shown in FIG. 4, this system includes: a STA, a current AP which has set up security association with said STA, and a destination AP which supports a pre-authentication function. Wherein:
  • said current AP is use for, after receiving a pre-authentication start packet sent by said STA, interacting with said destination AP to verify certificates of the two parties for each other;
  • If the certificate of the destination AP is verified to be valid, said current AP is also used for sending the key information of the security association set up with said STA to said destination AP; said destination AP stores said key information;
  • Said key information includes a basic key generated by negotiation between the STA and the AP.
  • The detailed functions and the connection relationships (interactive messaging relationship) of each network element in the system shown in FIG. 4 have been introduced in the description of the flow shown in FIG. 2, and herein it will not be described repeatedly.
    • INDUSTRIAL APPLICABILITY
  • The present invention is based on the WAPI three-element security frame idea, makes use of the security association that has been set up to carry out the identity authentication (certificate verification) on the untrusted AP. And after the identity authentication completes, the current AP sends the key information (mainly a base key) to the destination AP. Through this optimized pre-authentication method, in a precondition of not reducing the system security performance, the interaction processes between each network element are reduced, and the aim of quickly pre-authenticating the wireless local area network terminal is achieved.

Claims (7)

1. A method for pre-authenticating a wireless local area network terminal, comprising:
after a current access point (AP) which has set up security association with a station (STA) receiving a pre-authentication start packet sent by said STA, the current AP interacting with a destination AP to verify certificates of the current AP and the destination AP for each other; and
if a certificate of said destination AP is verified to be valid, said current AP sending key information of the security association set up with said STA by said current AP to said destination AP, and said destination AP saving said key information;
wherein said key information includes a basic key generated by negotiation between said STA and said current AP.
2. The method as claimed in claim 1, wherein
said current AP and destination AP adopt the following way to verify certificates thereof for each other:
said current AP sends a pre-authentication initiation packet to said destination AP, and said pre-authentication initiation packet includes a certificate of said current AP and a signature of said current AP;
after receiving said pre-authentication initiation packet, said destination AP verifies the signature of said current AP, and after the verification is successful, the destination AP sends a certificate authentication request packet to an authentication server, and said certificate authentication request packet includes the certificate of said current AP, the certificate of said destination AP and a signature of said destination AP; and
after receiving the certificate authentication request packet, said authentication server verifies the signature of said destination AP, and after the signature is verified successfully, the authentication server verifies the certificates of said current AP and said destination AP, and sending a certificate authentication response packet including certificate verification results and a signature of said authentication server to said destination AP and the current AP.
3. The method as claimed in claim 1, wherein
said key information further includes a unicast session key generated by negotiation between said STA and said current AP;
after receiving said key information, said destination AP also uses said unicast session key to negotiate with said STA to generate a multicast key.
4. The method as claimed in claim 1, wherein
if the certificate of said destination AP is verified to be invalid, said current AP releases a link relationship of said current AP and said destination AP, and informs said STA that said destination AP is illegal.
5. A wireless local area network system, and said system comprising a STA, a current AP which has set up security association with said STA, and a destination AP which supports a pre-authentication function, wherein
said current AP is used for, after receiving a pre-authentication start packet sent by said STA, interacting with said destination AP to verify certificates of the current AP and the destination AP for each other; and
if the certificate of said destination AP is verified to be valid, said current AP is further used for sending key information of the security association set up with said STA by said current AP to said destination AP;
said destination AP saves said key information;
wherein said key information includes a basic key generated by negotiation between said STA and said current AP.
6. The system as claimed in claim 5, wherein
said system further comprises an authentication server;
said current AP and destination AP adopt the following way to verify certificates of the current AP and the destination AP for each other:
said current AP sending a pre-authentication initiation packet to said destination AP, said pre-authentication initiation packet including a certificate of said current AP and a signature of said current AP;
after receiving said pre-authentication initiation packet, said destination AP verifies the signature of said current AP, and after the verification is successful, the destination AP sends a certificate authentication request packet to said authentication server, said certificate authentication request packet including the certificate of said current AP, the certificate of said destination AP and a signature of said destination AP; and
after receiving the certificate authentication request packet, said authentication server verifies the signature of said destination AP, and after the verification is successful, the authentication server verifies the certificates of said current AP and said destination AP, and sends a certificate authentication response packet including certificate verification results and a signature of said authentication server to said destination AP and said current AP.
7. The system as claimed in claim 5, wherein
said key information further includes a unicast session key generated by negotiation between said STA and said current AP;
said destination AP is further used for, after receiving said key information, using said unicast session key to negotiate with said STA to generate a multicast key.
US13/257,749 2009-04-08 2009-08-20 Wireless local area network terminal pre-authentication method and wireless local area network system Expired - Fee Related US8533461B2 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN2009101337257A CN101527908B (en) 2009-04-08 2009-04-08 Method for pre-identifying wireless local area network terminal and wireless local area network system
CN200910133725 2009-04-08
CN200910133725.7 2009-04-08
PCT/CN2009/073377 WO2010115326A1 (en) 2009-04-08 2009-08-20 Wireless local area network terminal pre-authentication method and wireless local area network system

Publications (2)

Publication Number Publication Date
US20120017088A1 true US20120017088A1 (en) 2012-01-19
US8533461B2 US8533461B2 (en) 2013-09-10

Family

ID=41095556

Family Applications (1)

Application Number Title Priority Date Filing Date
US13/257,749 Expired - Fee Related US8533461B2 (en) 2009-04-08 2009-08-20 Wireless local area network terminal pre-authentication method and wireless local area network system

Country Status (4)

Country Link
US (1) US8533461B2 (en)
EP (1) EP2418883B1 (en)
CN (1) CN101527908B (en)
WO (1) WO2010115326A1 (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120060205A1 (en) * 2009-05-14 2012-03-08 China Iwncomm Co., Ltd. Method and system for station switching when wireless terminal point completes wpi in convergent wlan
US8819778B2 (en) 2009-05-14 2014-08-26 China Iwncomm Co., Ltd. Method and system for switching station in centralized WLAN when WPI is performed by access controller
US20160014118A1 (en) * 2014-07-10 2016-01-14 Ricoh Company, Ltd. Access control method, authentication method, and authentication device
US9756450B1 (en) 2015-08-26 2017-09-05 Quantenna Communications, Inc. Automated setup of a station on a wireless home network
US20180097813A1 (en) * 2015-11-23 2018-04-05 International Business Machines Corporation Cross-site request forgery (csrf) prevention
CN109618334A (en) * 2018-11-21 2019-04-12 北京华大智宝电子系统有限公司 Control method and relevant device
US11122026B2 (en) * 2014-06-30 2021-09-14 International Business Machines Corporation Queue management and load shedding for complex authentication schemes

Families Citing this family (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7646710B2 (en) 2003-07-28 2010-01-12 Nortel Networks Limited Mobility in a multi-access communication network
US9723520B1 (en) 2005-12-20 2017-08-01 Microsoft Technology Licensing, Llc Location based mode switching for dual mode mobile terminals
CN102026196A (en) * 2010-12-30 2011-04-20 东莞宇龙通信科技有限公司 Authentication method based on WAPI ( wireless LAN authentication and privacy infrastructure), access point and mobile terminal
US8650622B2 (en) 2011-07-01 2014-02-11 Telefonaktiebolaget Lm Ericsson (Publ) Methods and arrangements for authorizing and authentication interworking
CN102883385B (en) * 2011-07-14 2016-06-29 智邦科技股份有限公司 The connection control method of wireless access point and portable wireless device
GB201211565D0 (en) 2012-06-29 2012-08-15 Microsoft Corp Determining availability of an acess network
GB201211568D0 (en) 2012-06-29 2012-08-15 Microsoft Corp Determining network availability based on geographical location
GB201211580D0 (en) 2012-06-29 2012-08-15 Microsoft Corp Determining suitablity of an access network
US20140242997A1 (en) * 2013-02-28 2014-08-28 Microsoft Corporation Wireless network selection
CN104283848B (en) 2013-07-03 2018-02-09 新华三技术有限公司 Terminal access method and device
US9979711B2 (en) * 2015-06-26 2018-05-22 Cisco Technology, Inc. Authentication for VLAN tunnel endpoint (VTEP)
CN106817219B (en) * 2015-12-01 2020-11-03 阿里巴巴集团控股有限公司 Method and device for negotiating session key
KR102134302B1 (en) * 2016-01-29 2020-07-15 텐센트 테크놀로지(센젠) 컴퍼니 리미티드 Wireless network access method and apparatus, and storage medium
CN110266384B (en) * 2019-06-28 2021-02-02 Oppo广东移动通信有限公司 Local area network communication control method and related product
CN111669756B (en) * 2020-07-24 2023-07-04 广西电网有限责任公司 System and method for transmitting access network information in WAPI network
CN112989395B (en) * 2021-04-28 2022-05-17 山东省计算中心(国家超级计算济南中心) Formal verification method and system for SM4 cryptographic algorithm

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040098586A1 (en) * 2002-11-15 2004-05-20 Rebo Richard D. Method for fast, secure 802.11 re-association without additional authentication, accounting and authorization infrastructure
US20070003062A1 (en) * 2005-06-30 2007-01-04 Lucent Technologies, Inc. Method for distributing security keys during hand-off in a wireless communication system
US20080051060A1 (en) * 2003-01-14 2008-02-28 Samsung Electronics Co., Ltd. Method for fast roaming in a wireless network
US8175058B2 (en) * 2004-01-22 2012-05-08 Telcordia Technologies, Inc. Mobility architecture using pre-authentication, pre-configuration and/or virtual soft-handoff
US8190124B2 (en) * 2004-10-22 2012-05-29 Broadcom Inc. Authentication in a roaming environment
US8218512B2 (en) * 2006-06-14 2012-07-10 Toshiba America Research, Inc. Distribution of session keys to the selected multiple access points based on geo-location of APs

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB1562911A (en) 1976-09-17 1980-03-19 Girling Ltd Hydraulically operated disc brakes for vehicles
US7103359B1 (en) * 2002-05-23 2006-09-05 Nokia Corporation Method and system for access point roaming
US7426550B2 (en) * 2004-02-13 2008-09-16 Microsoft Corporation Extensible wireless framework
CN1674497A (en) * 2004-03-26 2005-09-28 华为技术有限公司 Certification method for WLAN terminal switching in mobile network
CN1564524A (en) * 2004-03-26 2005-01-12 中兴通讯股份有限公司 Method of radio terminal charging fee in radio LAN
US20050243769A1 (en) * 2004-04-28 2005-11-03 Walker Jesse R Apparatus and method capable of pre-keying associations in a wireless local area network
US7236477B2 (en) * 2004-10-15 2007-06-26 Motorola, Inc. Method for performing authenticated handover in a wireless local area network
CN1225942C (en) * 2004-11-04 2005-11-02 西安西电捷通无线网络通信有限公司 Method of improving mobile terminal handover switching performance in radio IP system
CN101155396B (en) * 2006-09-25 2012-03-28 联想(北京)有限公司 Terminal node switching method

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040098586A1 (en) * 2002-11-15 2004-05-20 Rebo Richard D. Method for fast, secure 802.11 re-association without additional authentication, accounting and authorization infrastructure
US20080051060A1 (en) * 2003-01-14 2008-02-28 Samsung Electronics Co., Ltd. Method for fast roaming in a wireless network
US8175058B2 (en) * 2004-01-22 2012-05-08 Telcordia Technologies, Inc. Mobility architecture using pre-authentication, pre-configuration and/or virtual soft-handoff
US8190124B2 (en) * 2004-10-22 2012-05-29 Broadcom Inc. Authentication in a roaming environment
US20070003062A1 (en) * 2005-06-30 2007-01-04 Lucent Technologies, Inc. Method for distributing security keys during hand-off in a wireless communication system
US8218512B2 (en) * 2006-06-14 2012-07-10 Toshiba America Research, Inc. Distribution of session keys to the selected multiple access points based on geo-location of APs

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
Kassab et al., Fast Pre-Authentication Based on Proactive Key Distribution for 802.11 Infrastructure Networks, ACM, 2005. *
Mishra et al., Proactive Key Distribution using Neighbor Graphs, IEEE, 2004. *
Pack et al., Pre-Authenticated Fast Handoff in a Public Wireless LAN Based on IEEE 802.1x Model, PWC Proceedings, 2002. *
Schneier, Applied Cryptography, John Wiley & Sons, 1996, pp. 576-77. *

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120060205A1 (en) * 2009-05-14 2012-03-08 China Iwncomm Co., Ltd. Method and system for station switching when wireless terminal point completes wpi in convergent wlan
US8750521B2 (en) * 2009-05-14 2014-06-10 China Iwncomm Co., Ltd. Method and system for station switching when wireless terminal point completes WPI in convergent WLAN
US8819778B2 (en) 2009-05-14 2014-08-26 China Iwncomm Co., Ltd. Method and system for switching station in centralized WLAN when WPI is performed by access controller
US11122026B2 (en) * 2014-06-30 2021-09-14 International Business Machines Corporation Queue management and load shedding for complex authentication schemes
US20160014118A1 (en) * 2014-07-10 2016-01-14 Ricoh Company, Ltd. Access control method, authentication method, and authentication device
US9667625B2 (en) * 2014-07-10 2017-05-30 Ricoh Company, Ltd. Access control method, authentication method, and authentication device
US9756450B1 (en) 2015-08-26 2017-09-05 Quantenna Communications, Inc. Automated setup of a station on a wireless home network
US20180097813A1 (en) * 2015-11-23 2018-04-05 International Business Machines Corporation Cross-site request forgery (csrf) prevention
US10652244B2 (en) * 2015-11-23 2020-05-12 International Business Machines Corporation Cross-site request forgery (CSRF) prevention
CN109618334A (en) * 2018-11-21 2019-04-12 北京华大智宝电子系统有限公司 Control method and relevant device

Also Published As

Publication number Publication date
EP2418883A1 (en) 2012-02-15
WO2010115326A1 (en) 2010-10-14
CN101527908B (en) 2011-04-20
CN101527908A (en) 2009-09-09
US8533461B2 (en) 2013-09-10
EP2418883A4 (en) 2013-03-13
EP2418883B1 (en) 2014-04-23

Similar Documents

Publication Publication Date Title
US8533461B2 (en) Wireless local area network terminal pre-authentication method and wireless local area network system
JP6732095B2 (en) Unified authentication for heterogeneous networks
TWI507059B (en) Mobile station and base station and method for deriving traffic encryption key
US8374582B2 (en) Access method and system for cellular mobile communication network
KR100704675B1 (en) authentication method and key generating method in wireless portable internet system
JP5678138B2 (en) Enhanced security for direct link communication
US8762710B2 (en) Method and system for updating and using digital certificates
AU2007292554B2 (en) Method and apparatus for establishing security associations between nodes of an ad hoc wireless network
EP2296392A1 (en) Authentication method, re-certification method and communication device
US8959333B2 (en) Method and system for providing a mesh key
CA2983550A1 (en) Devices and methods for client device authentication
WO2009097789A1 (en) Method and communication system for establishing security association
WO2010127539A1 (en) Method and system for authenticating accessing to stream media service
WO2011120249A1 (en) Multicast key negotiation method suitable for group calling system and a system thereof
EP3413508A1 (en) Devices and methods for client device authentication
KR101718096B1 (en) Method and system for authenticating in wireless communication system
US20120017080A1 (en) Method for establishing safe association among wapi stations in ad-hoc network
CN101742492B (en) Key processing method and system
CN1964259B (en) A method to manage secret key in the course of switch-over
US20090110196A1 (en) Key management system and method for wireless networks
CN102404736B (en) Method and device for WAI Certificate authentication
KR20130085170A (en) Method and apparatus for shortening authentication process during a handover of a user terminal in radio network

Legal Events

Date Code Title Description
AS Assignment

Owner name: ZTE CORPORATION, CHINA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:LIU, JIABING;SHI, YUANQING;LIANG, JIEHUI;REEL/FRAME:026935/0286

Effective date: 20110907

STCF Information on status: patent grant

Free format text: PATENTED CASE

FPAY Fee payment

Year of fee payment: 4

FEPP Fee payment procedure

Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

LAPS Lapse for failure to pay maintenance fees

Free format text: PATENT EXPIRED FOR FAILURE TO PAY MAINTENANCE FEES (ORIGINAL EVENT CODE: EXP.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

STCH Information on status: patent discontinuation

Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362

FP Lapsed due to failure to pay maintenance fee

Effective date: 20210910